The Personal Data Protection Commission (PDPC) has issued a S$4,000 fine against a computer service vendor for a programming error that resulted in the disclosure of the personal data of over 400 national servicemen (NSmen) in Jun last year, comprising the NSmen’s login identification, email addresses, delivery addresses and mobile numbers.

Option Gift Pte Ltd, the vendor responsible for handling Uniqrewards – an online portal for NSmen to redeem credits and gifts from the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA) – was found guilty of breaching Section 24 of the Personal Data Protection Act 2012 (PDPA), which stipulates that an organisation must take reasonable security steps or arrangements to prevent unauthorised access or disclosure of personal data under its control or possession.

Through Uniqrewards, NSmen may receive such rewards from MINDEF and MHA for performing well during in-camp training or courses, or to celebrate a significant event such as the birth of their child.

Citing Commissioner Tan Kiat How’s grounds of decision, Deputy Commissioner Yeong Zee Kin stated in a case report on Thu (6 Jun) that Option Gift “had full possession and control over the personal data that the Portal collects, uses, discloses and processes at all material times” as the administrator of Uniqrewards, and thus “had full responsibility for the security of the Portal, any changes to it, as well as the personal data processed by it”.

“In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script,” he added.

The source of the lapse was traced to an Option Gift employee’s failure to reset a service account password in time according to the password expiry policy of 180 days “due to an oversight and a lack of reminders or warnings” on the expiration deadline. As a result, 427 NSmen did not receive confirmation emails for their redemption requests made between 22 May and 24 May last year.

Upon recognition of the incident on 23 May last year, Option Gift wrote a separate programme script to send out the confirmation emails in a bid to resolve the issue. However, the programme script was found to be faulty, as the programme script retained the email addressses of the recipients of the preceding Confirmation Emails in the “To:” field of the email each time a new Confirmation Email was generated.

“It merely added on the intended recipient’s email address, instead of replacing the previous recipient’s email address with the intended recipient’s,” the report revealed.

“This pattern of addressing the Confirmation Emails continued until the last recipient, who received only the Confirmation Email intended for him,” according to the report.

Following the data disclosure, Option Gift had mailed all the affected NSmen an apology and requested for them to delete all emails addressed by Uniqrewards which were not intended for them and had notified the Commission regarding the incident.

MINDEF and MHA had also respectively issued an apology to the affected NSmen on 13 Jun last year, and had urged the NSmen to delete any emails from Uniqrewards that were not intended for them. A month later, the affected NSmen were given S$80 worth of gift voucher per serviceman as a gesture of apology from Option Gift.

Option Gift has also indicated steps to buttress its security in order to prevent similar incidents in the future, including subjecting future changes in Uniqrewards to secondary checks during the development testing stage, a separate review of source codes written by developers, direct resending of confirmation emails via an enhancement of Uniqrewards’ backend system, and a standard operating procedure to document the process.

Option Gift will also “deploy an application, Sonarcloud, to analyse the quality of source codes. Sonarcloud would be used to detect bugs, vulnerabilities and code smells during the development process,” the report noted.

“In this case, software testing (i.e., development testing and user acceptance testing) was carried out on the programme script prior to its actual implementation. Investigations revealed a fundamental flaw in designing the test scenarios.

“The test scenario consisted of generating all 427 test emails but instead of picking up the recipient emails from a list of email addresses, each email was hardcoded to be sent to the same internal email address.

“Unsurprisingly, the Error, which would only have manifested itself if there was more than one recipient, was not detected,” according to the Commission.